Skipping website and CA and using self-signed certificate?

[ILogOutOnTheToilet]

The "Beginner Tutorial" instructions ask you to create a website and apply for a TLS certificate:
https://xtls.github.io/en/document/level-0/

I managed to get the below example to work with a self-signed certificate and the IP address of my VPS (instead of website) :
https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-TLS-WS%20(recommended)

What is the security issue, or any issue at all with this method? Obviously the self-signed certificate I used is not trusted by Windows and Firefox, so I added it to the trusted root or authority and then it works.

There is a warning in the "Beginner Tutorial" saying:

Please do not use self-signed certificates lightly. It does not make the operation much simpler, but adds unnecessary risks (such as man-in-the-middle attacks).

https://xtls.github.io/en/document/level-0/ch06-certificates.html
But how can someone do a man-in-the-middle attack if they don't have my certificate key?

It is so much more convenient to create a self-signed certificate than to make a website and register a domain name, especially if I am visiting a country with restricted internet for only a few weeks or a month.

[i-eat-helicopter]

I think the doc is talking about using allowInsecure in conjunction with self-signed certificates. In that case, it can be MITMed quite easily. Using a locally trusted root CA might invalidate this particular scenario, but the domain owner can still MITM you, that's for sure, since they can just get a valid cert from letsencrypt.

[ILogOutOnTheToilet]

Thanks, so it seems MITM is not possible for self-signed certificates as long as I don't have allowInsecure? So in this case, self-signed certificate with the IP of my VPS is actually more secure? I did not pass allowInsecure at all in the client or server config, so I assume the default is false since default bool is false in Go:

Xray-core/infra/conf/transport_internet.go

Line 398 in ab5d7cf

Insecure bool `json:"allowInsecure"`

[i-eat-helicopter]

so it seems MITM is not possible for self-signed certificates as long as I don't have allowInsecure?

I didn't say that. The real domain owner can still MITM you. Hell, if your government is shady enough, they can use the rootCA they control to do their dirty work. If you are really paranoid about this, pin cert (iirc xray supports this?) or choose protocols that use preshared keys.

[ILogOutOnTheToilet]

I am using the IP of my Virtual Private Server (VPS) in my self-signed certificate, and only I and the VPS has the certificate key copies, so I don't have a domain. I am already trusting the VPS hosting site to not mess with my VPS, so I am not worried about them doing any MITM stuff. I am just trying to clarify the security issue mentioned in the beginner tutorial link and why they don't recommend self-signed certificates:
https://xtls.github.io/en/document/level-0/ch06-certificates.html
As far as I know, the only way for someone to get my key from my VPS (without signing in with my sign-in SSH key) is if my VPS hosting company goes rouge and steals the key from my VPS.